update security advisory filter

Author: kbukum1

maven/lib/dependabot/maven/package/package_details_fetcher.rb

@@ -43,7 +43,7 @@ def initialize(dependency:, dependency_files:, credentials:) # rubocop:disable M
           @dependency_metadata_from_html = T.let({}, T::Hash[T.untyped, Nokogiri::HTML::Document])
           @repository_finder = T.let(nil, T.nilable(Maven::FileParser::RepositoriesFinder))
           @repositories = T.let(nil, T.nilable(T::Array[T::Hash[String, T.untyped]]))
-          @released_check = T.let({}, T::Hash[Version, T::Boolean])
+          @released_check = T.let({}, T::Hash[String, T::Boolean])
           @auth_headers_finder = T.let(nil, T.nilable(Utils::AuthHeadersFinder))
           @dependency_parts = T.let([], T::Array[String])
           @dependency_classifier = T.let(nil, T.nilable(String))
@@ -194,7 +194,7 @@ def fetch_dependency_metadata(repository_details)
           nil
         end
 
-        sig { params(version: Version).returns(T::Boolean) }
+        sig { params(version: String).returns(T::Boolean) }
         def released?(version)
           @released_check[version] ||=
             repositories.any? do |repository_details|
@@ -337,7 +337,7 @@ def dependency_metadata_url(repository_url)
         #   repository_url: https://repo.maven.apache.org/maven2
         #   version: 5.0.0
         #   returns: https://repo.maven.apache.org/maven2/org/junit/jupiter/junit-jupiter-api/5.0.0/junit-jupiter-api-5.0.0.jar
-        sig { params(repository_url: String, version: Version).returns(String) }
+        sig { params(repository_url: String, version: String).returns(String) }
         def dependency_files_url(repository_url, version)
           _, artifact_id = @dependency_parts
           url = dependency_base_url(repository_url)

maven/lib/dependabot/maven/update_checker/version_finder.rb

@@ -1,4 +1,4 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
 require "dependabot/update_checkers/version_filters"
@@ -52,36 +52,68 @@ def package_details_fetcher
           )
         end
 
-        sig { returns(T::Array[T::Hash[Symbol, T.untyped]]) }
-        def versions
-          package_details_fetcher.versions
+        sig { returns(Dependabot::Package::PackageDetails) }
+        def package_details
+          package_details_fetcher.package_details
         end
 
         sig { returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
         def latest_version_details
-          possible_versions = versions
-
+          possible_versions = package_details.releases
           possible_versions = filter_prereleases(possible_versions)
           possible_versions = filter_date_based_versions(possible_versions)
           possible_versions = filter_version_types(possible_versions)
           possible_versions = filter_ignored_versions(possible_versions)
 
-          possible_versions.reverse.find { |v| package_details_fetcher.released?(v.fetch(:version)) }
+          release = possible_versions.reverse.find do |r|
+            package_details_fetcher.released?(r.version.version)
+          end
+
+          return unless release
+
+          { version: release.version, source_url: release.url }
+        end
+
+        sig do
+          params(
+            possible_versions: T::Array[Dependabot::Package::PackageRelease]
+          ).returns(T::Array[Dependabot::Package::PackageRelease])
+        end
+        def filter_vulnerable_versions(possible_versions)
+          return possible_versions if @security_advisories.empty?
+
+          filtered = possible_versions.reject do |release|
+            security_advisories.any? do |advisory|
+              advisory.vulnerable?(release.version)
+            end
+          end
+
+          if possible_versions.count > filtered.count
+            diff = possible_versions.count - filtered.count
+            Dependabot.logger.info("Filtered out #{diff} vulnerable versions")
+          end
+
+          filtered
         end
 
         sig { returns(T.nilable(T::Hash[T.untyped, T.untyped])) }
         def lowest_security_fix_version_details
-          possible_versions = versions
+          possible_versions = package_details.releases
 
           possible_versions = filter_prereleases(possible_versions)
           possible_versions = filter_date_based_versions(possible_versions)
           possible_versions = filter_version_types(possible_versions)
-          possible_versions = Dependabot::UpdateCheckers::VersionFilters.filter_vulnerable_versions(possible_versions,
-                                                                                                    security_advisories)
+          possible_versions = filter_vulnerable_versions(possible_versions)
           possible_versions = filter_ignored_versions(possible_versions)
           possible_versions = filter_lower_versions(possible_versions)
 
-          possible_versions.find { |v| package_details_fetcher.released?(v.fetch(:version)) }
+          release = possible_versions.find do |r|
+            package_details_fetcher.released?(r.version.version)
+          end
+
+          return unless release
+
+          { version: release.version, source_url: release.url }
         end
 
         private
@@ -99,31 +131,42 @@ def lowest_security_fix_version_details
         sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
         attr_reader :security_advisories
 
-        sig { params(possible_versions: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
+        sig do
+          params(possible_versions: T::Array[Dependabot::Package::PackageRelease])
+            .returns(T::Array[Dependabot::Package::PackageRelease])
+        end
         def filter_prereleases(possible_versions)
           return possible_versions if wants_prerelease?
 
-          filtered = possible_versions.reject { |v| v.fetch(:version).prerelease? }
+          filtered = possible_versions.reject { |release| release.version.prerelease? }
           if possible_versions.count > filtered.count
             Dependabot.logger.info("Filtered out #{possible_versions.count - filtered.count} pre-release versions")
           end
           filtered
         end
 
-        sig { params(possible_versions: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
+        sig do
+          params(possible_versions: T::Array[Dependabot::Package::PackageRelease])
+            .returns(T::Array[Dependabot::Package::PackageRelease])
+        end
         def filter_date_based_versions(possible_versions)
           return possible_versions if wants_date_based_version?
 
-          filtered = possible_versions.reject { |v| v.fetch(:version) > version_class.new(1900) }
+          filtered = possible_versions.reject { |release| release.version > version_class.new(1900) }
           if possible_versions.count > filtered.count
             Dependabot.logger.info("Filtered out #{possible_versions.count - filtered.count} date-based versions")
           end
           filtered
         end
 
-        sig { params(possible_versions: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
+        sig do
+          params(possible_versions: T::Array[Dependabot::Package::PackageRelease])
+            .returns(T::Array[Dependabot::Package::PackageRelease])
+        end
         def filter_version_types(possible_versions)
-          filtered = possible_versions.select { |v| matches_dependency_version_type?(v.fetch(:version)) }
+          filtered = possible_versions.select do |release|
+            matches_dependency_version_type?(release.version)
+          end
           if possible_versions.count > filtered.count
             diff = possible_versions.count - filtered.count
             classifier = dependency.version&.split(/[.\-]/)&.last
@@ -132,15 +175,18 @@ def filter_version_types(possible_versions)
           filtered
         end
 
-        sig { params(possible_versions: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
+        sig do
+          params(possible_versions: T::Array[Dependabot::Package::PackageRelease])
+            .returns(T::Array[Dependabot::Package::PackageRelease])
+        end
         def filter_ignored_versions(possible_versions)
           filtered = possible_versions
 
           ignored_versions.each do |req|
             ignore_requirements = Maven::Requirement.requirements_array(req)
             filtered =
               filtered
-              .reject { |v| ignore_requirements.any? { |r| r.satisfied_by?(v.fetch(:version)) } }
+              .reject { |release| ignore_requirements.any? { |r| r.satisfied_by?(release.version) } }
           end
 
           if @raise_on_ignored && filter_lower_versions(filtered).empty? &&
@@ -156,12 +202,15 @@ def filter_ignored_versions(possible_versions)
           filtered
         end
 
-        sig { params(possible_versions: T::Array[T.untyped]).returns(T::Array[T.untyped]) }
+        sig do
+          params(possible_versions: T::Array[Dependabot::Package::PackageRelease])
+            .returns(T::Array[Dependabot::Package::PackageRelease])
+        end
         def filter_lower_versions(possible_versions)
           return possible_versions unless dependency.numeric_version
 
-          possible_versions.select do |v|
-            v.fetch(:version) > dependency.numeric_version
+          possible_versions.select do |release|
+            release.version > dependency.numeric_version
           end
         end
 
@@ -179,7 +228,7 @@ def wants_date_based_version?
           T.must(dependency.numeric_version) >= version_class.new(100)
         end
 
-        sig { params(comparison_version: Version).returns(T::Boolean) }
+        sig { params(comparison_version: Dependabot::Version).returns(T::Boolean) }
         def matches_dependency_version_type?(comparison_version)
           return true unless dependency.version
 

maven/spec/dependabot/maven/update_checker/version_finder_spec.rb

@@ -658,7 +658,9 @@
         let(:raise_on_ignored) { true }
 
         it "raises an error" do
-          expect { lowest_security_fix_version_details }.to raise_error(Dependabot::AllVersionsIgnored)
+          expect { lowest_security_fix_version_details }.to raise_error(
+            Dependabot::AllVersionsIgnored
+          )
         end
       end
     end
@@ -676,35 +678,43 @@
     end
   end
 
-  describe "#versions" do
-    subject(:versions) { finder.versions }
+  describe "#package_details" do
+    subject(:package_details) { finder.package_details }
 
-    its(:count) { is_expected.to eq(70) }
+    it "returns package details" do
+      expect(package_details).to be_a(Dependabot::Package::PackageDetails)
+    end
 
-    describe "the first version" do
-      subject { versions.first }
+    # Since the `releases` is the new `versions`, we assert the count of releases
+    its(:releases) { is_expected.to have(70).items }
 
-      its([:version]) { is_expected.to eq(version_class.new("r03")) }
+    describe "the first release" do
+      subject { package_details.releases.first }
 
-      its([:source_url]) do
-        is_expected.to eq("https://repo.maven.apache.org/maven2")
-      end
+      its(:version) { is_expected.to eq(version_class.new("r03")) }
+
+      its(:url) { is_expected.to eq("https://repo.maven.apache.org/maven2") }
+      its(:released_at) { is_expected.to eq(Time.parse("2017-09-10 18:08")) }
+      its(:yanked?) { is_expected.to be(false) }
+      its(:latest) { is_expected.to be(false) }
     end
 
-    describe "the last version" do
-      subject { versions.last }
+    describe "the last release" do
+      subject { package_details.releases.last }
 
-      its([:version]) { is_expected.to eq(version_class.new("23.7-rc1-jre")) }
+      its(:version) { is_expected.to eq(version_class.new("23.7-rc1-jre")) }
 
-      its([:source_url]) do
-        is_expected.to eq("https://repo.maven.apache.org/maven2")
-      end
+      its(:url) { is_expected.to eq("https://repo.maven.apache.org/maven2") }
+      its(:released_at) { is_expected.to eq(Time.parse("2020-01-01 00:00")) }
+      its(:yanked?) { is_expected.to be(false) }
+      its(:latest) { is_expected.to be(false) }
     end
 
     context "with a dependency name that needs URI encoding" do
       let(:dependency_name) { "bad com.google.guava:guava" }
 
-      its(:count) { is_expected.to eq(0) }
+      # Expect that no releases exist for this dependency
+      its(:releases) { is_expected.to be_empty }
     end
 
     context "with a custom repository" do
@@ -739,58 +749,50 @@
           .to_return(status: 404, body: "")
       end
 
-      describe "the first version" do
-        subject { versions.first }
+      describe "the first release" do
+        subject { package_details.releases.first }
 
-        its([:version]) { is_expected.to eq(version_class.new("r03")) }
+        its(:version) { is_expected.to eq(version_class.new("r03")) }
 
-        its([:source_url]) do
-          is_expected.to eq("http://repository.jboss.org/maven2")
-        end
+        its(:url) { is_expected.to eq("http://repository.jboss.org/maven2") }
       end
 
-      describe "the last version" do
-        subject { versions.last }
+      describe "the last release" do
+        subject { package_details.releases.last }
 
-        its([:version]) { is_expected.to eq(version_class.new("23.7-rc1-jre")) }
+        its(:version) { is_expected.to eq(version_class.new("23.7-rc1-jre")) }
 
-        its([:source_url]) do
-          is_expected.to eq("http://repository.jboss.org/maven2")
-        end
+        its(:url) { is_expected.to eq("http://repository.jboss.org/maven2") }
       end
+    end
 
-      context "when augmenting the central repo" do
-        before do
-          body =
-            fixture("maven_central_metadata", "with_date_releases.xml")
-          stub_request(:get, maven_central_metadata_url)
-            .to_return(status: 200, body: body)
-          # 404 causes Dependabot to fall back to the central repo
-          stub_request(:get, jboss_metadata_url)
-            .to_return(status: 404)
-        end
+    context "when augmenting the central repo" do
+      before do
+        body =
+          fixture("maven_central_metadata", "with_date_releases.xml")
+        stub_request(:get, maven_central_metadata_url)
+          .to_return(status: 200, body: body)
+        # 404 causes Dependabot to fall back to the central repo
+        stub_request(:get, jboss_metadata_url)
+          .to_return(status: 404)
+      end
 
-        its(:count) { is_expected.to eq(17) }
+      its(:releases) { is_expected.to have(17).items }
 
-        describe "the first version" do
-          subject { versions.first }
+      describe "the first release" do
+        subject { package_details.releases.first }
 
-          its([:version]) { is_expected.to eq(version_class.new("r01")) }
+        its(:version) { is_expected.to eq(version_class.new("r01")) }
 
-          its([:source_url]) do
-            is_expected.to eq("https://repo.maven.apache.org/maven2")
-          end
-        end
+        its(:url) { is_expected.to eq("https://repo.maven.apache.org/maven2") }
+      end
 
-        describe "the last version" do
-          subject { versions.last }
+      describe "the last release" do
+        subject { package_details.releases.last }
 
-          its([:version]) { is_expected.to eq(version_class.new("20040616")) }
+        its(:version) { is_expected.to eq(version_class.new("20040616")) }
 
-          its([:source_url]) do
-            is_expected.to eq("https://repo.maven.apache.org/maven2")
-          end
-        end
+        its(:url) { is_expected.to eq("https://repo.maven.apache.org/maven2") }
       end
     end
   end